@atom8n/n8n 2.4.7 → 2.5.1

package/dist/modules/sso-oidc/sso-oidc.module.js

@@ -0,0 +1,55 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OidcModule = void 0;
+const decorators_1 = require("@n8n/decorators");
+const di_1 = require("@n8n/di");
+let OidcModule = class OidcModule {
+    async init() {
+        await Promise.resolve().then(() => __importStar(require('./oidc.controller.ee')));
+        const { OidcService } = await Promise.resolve().then(() => __importStar(require('./oidc.service.ee')));
+        await di_1.Container.get(OidcService).init();
+    }
+};
+exports.OidcModule = OidcModule;
+exports.OidcModule = OidcModule = __decorate([
+    (0, decorators_1.BackendModule)({ name: 'sso-oidc', licenseFlag: 'feat:oidc', instanceTypes: ['main'] })
+], OidcModule);

package/dist/modules/sso-saml/constants.d.ts

@@ -0,0 +1,3 @@
+export declare const SAML_PREFERENCES_DB_KEY = "features.saml";
+export declare const SAML_LOGIN_LABEL = "sso.saml.loginLabel";
+export declare const SAML_LOGIN_ENABLED = "sso.saml.loginEnabled";

package/dist/modules/sso-saml/constants.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SAML_LOGIN_ENABLED = exports.SAML_LOGIN_LABEL = exports.SAML_PREFERENCES_DB_KEY = void 0;
+exports.SAML_PREFERENCES_DB_KEY = 'features.saml';
+exports.SAML_LOGIN_LABEL = 'sso.saml.loginLabel';
+exports.SAML_LOGIN_ENABLED = 'sso.saml.loginEnabled';

package/dist/modules/sso-saml/errors/invalid-saml-metadata-url.error.d.ts

@@ -0,0 +1,4 @@
+import { UserError } from 'n8n-workflow';
+export declare class InvalidSamlMetadataUrlError extends UserError {
+    constructor(url: string);
+}

package/dist/modules/sso-saml/errors/invalid-saml-metadata-url.error.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InvalidSamlMetadataUrlError = void 0;
+const n8n_workflow_1 = require("n8n-workflow");
+class InvalidSamlMetadataUrlError extends n8n_workflow_1.UserError {
+    constructor(url) {
+        super(`Failed to produce valid SAML metadata from ${url}`);
+    }
+}
+exports.InvalidSamlMetadataUrlError = InvalidSamlMetadataUrlError;

package/dist/modules/sso-saml/errors/invalid-saml-metadata.error.d.ts

@@ -0,0 +1,4 @@
+import { UserError } from 'n8n-workflow';
+export declare class InvalidSamlMetadataError extends UserError {
+    constructor(detail?: string);
+}

package/dist/modules/sso-saml/errors/invalid-saml-metadata.error.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InvalidSamlMetadataError = void 0;
+const n8n_workflow_1 = require("n8n-workflow");
+class InvalidSamlMetadataError extends n8n_workflow_1.UserError {
+    constructor(detail = '') {
+        super(`Invalid SAML metadata${detail ? ': ' + detail : ''}`);
+    }
+}
+exports.InvalidSamlMetadataError = InvalidSamlMetadataError;

package/dist/modules/sso-saml/middleware/saml-enabled-middleware.d.ts

@@ -0,0 +1,3 @@
+import type { RequestHandler } from 'express';
+export declare const samlLicensedAndEnabledMiddleware: RequestHandler;
+export declare const samlLicensedMiddleware: RequestHandler;

package/dist/modules/sso-saml/middleware/saml-enabled-middleware.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.samlLicensedMiddleware = exports.samlLicensedAndEnabledMiddleware = void 0;
+const sso_helpers_1 = require("../../../sso.ee/sso-helpers");
+const samlLicensedAndEnabledMiddleware = (_, res, next) => {
+    if ((0, sso_helpers_1.isSamlLicensedAndEnabled)()) {
+        next();
+    }
+    else {
+        res.status(403).json({ status: 'error', message: 'Unauthorized' });
+    }
+};
+exports.samlLicensedAndEnabledMiddleware = samlLicensedAndEnabledMiddleware;
+const samlLicensedMiddleware = (_, res, next) => {
+    if ((0, sso_helpers_1.isSamlLicensed)()) {
+        next();
+    }
+    else {
+        res.status(403).json({ status: 'error', message: 'Unauthorized' });
+    }
+};
+exports.samlLicensedMiddleware = samlLicensedMiddleware;

package/dist/modules/sso-saml/saml-helpers.d.ts

@@ -0,0 +1,19 @@
+import type { SamlAcsDto, SamlPreferences } from '@n8n/api-types';
+import type { User } from '@n8n/db';
+import type { FlowResult } from 'samlify/types/src/flow';
+import type { SamlAttributeMapping, SamlUserAttributes } from './types';
+export declare function setSamlLoginEnabled(enabled: boolean): Promise<void>;
+export declare function setSamlLoginLabel(label: string): void;
+export declare const isSamlPreferences: (candidate: unknown) => candidate is SamlPreferences;
+export declare function createUserFromSamlAttributes(attributes: SamlUserAttributes): Promise<User>;
+export declare function updateUserFromSamlAttributes(user: User, attributes: SamlUserAttributes): Promise<User>;
+type GetMappedSamlReturn = {
+    attributes: SamlUserAttributes | undefined;
+    missingAttributes: string[];
+};
+export declare function getMappedSamlAttributesFromFlowResult(flowResult: FlowResult, attributeMapping: SamlAttributeMapping, jitClaimNames: {
+    instanceRole: string | null;
+    projectRoles: string | null;
+}): GetMappedSamlReturn;
+export declare function isConnectionTestRequest(payload: SamlAcsDto): boolean;
+export {};

package/dist/modules/sso-saml/saml-helpers.js

@@ -0,0 +1,129 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isSamlPreferences = void 0;
+exports.setSamlLoginEnabled = setSamlLoginEnabled;
+exports.setSamlLoginLabel = setSamlLoginLabel;
+exports.createUserFromSamlAttributes = createUserFromSamlAttributes;
+exports.updateUserFromSamlAttributes = updateUserFromSamlAttributes;
+exports.getMappedSamlAttributesFromFlowResult = getMappedSamlAttributesFromFlowResult;
+exports.isConnectionTestRequest = isConnectionTestRequest;
+const config_1 = require("@n8n/config");
+const db_1 = require("@n8n/db");
+const di_1 = require("@n8n/di");
+const n8n_workflow_1 = require("n8n-workflow");
+const auth_error_1 = require("../../errors/response-errors/auth.error");
+const internal_server_error_1 = require("../../errors/response-errors/internal-server.error");
+const password_utility_1 = require("../../services/password.utility");
+const sso_helpers_1 = require("../../sso.ee/sso-helpers");
+const service_provider_ee_1 = require("./service-provider.ee");
+async function setSamlLoginEnabled(enabled) {
+    const currentAuthenticationMethod = (0, sso_helpers_1.getCurrentAuthenticationMethod)();
+    if (enabled && !(0, sso_helpers_1.isEmailCurrentAuthenticationMethod)() && !(0, sso_helpers_1.isSamlCurrentAuthenticationMethod)()) {
+        throw new internal_server_error_1.InternalServerError(`Cannot switch SAML login enabled state when an authentication method other than email or saml is active (current: ${currentAuthenticationMethod})`);
+    }
+    const targetAuthenticationMethod = !enabled && currentAuthenticationMethod === 'saml' ? 'email' : currentAuthenticationMethod;
+    di_1.Container.get(config_1.GlobalConfig).sso.saml.loginEnabled = enabled;
+    await (0, sso_helpers_1.setCurrentAuthenticationMethod)(enabled ? 'saml' : targetAuthenticationMethod);
+}
+function setSamlLoginLabel(label) {
+    di_1.Container.get(config_1.GlobalConfig).sso.saml.loginLabel = label;
+}
+const isSamlPreferences = (candidate) => {
+    const o = candidate;
+    return (typeof o === 'object' &&
+        typeof o.metadata === 'string' &&
+        typeof o.mapping === 'object' &&
+        o.mapping !== null &&
+        o.loginEnabled !== undefined);
+};
+exports.isSamlPreferences = isSamlPreferences;
+async function createUserFromSamlAttributes(attributes) {
+    const randomPassword = (0, n8n_workflow_1.randomString)(18);
+    const userRepository = di_1.Container.get(db_1.UserRepository);
+    return await userRepository.manager.transaction(async (trx) => {
+        const { user } = await userRepository.createUserWithProject({
+            email: attributes.email.toLowerCase(),
+            firstName: attributes.firstName,
+            lastName: attributes.lastName,
+            role: { slug: 'global:member' },
+            password: await di_1.Container.get(password_utility_1.PasswordUtility).hash(randomPassword),
+        }, trx);
+        await trx.save(trx.create(db_1.AuthIdentity, {
+            providerId: attributes.userPrincipalName,
+            providerType: 'saml',
+            userId: user.id,
+        }));
+        return user;
+    });
+}
+async function updateUserFromSamlAttributes(user, attributes) {
+    if (!attributes.email)
+        throw new auth_error_1.AuthError('Email is required to update user');
+    if (!user)
+        throw new auth_error_1.AuthError('User not found');
+    let samlAuthIdentity = user?.authIdentities.find((e) => e.providerType === 'saml');
+    if (!samlAuthIdentity) {
+        samlAuthIdentity = new db_1.AuthIdentity();
+        samlAuthIdentity.providerId = attributes.userPrincipalName;
+        samlAuthIdentity.providerType = 'saml';
+        samlAuthIdentity.user = user;
+        user.authIdentities.push(samlAuthIdentity);
+    }
+    else {
+        samlAuthIdentity.providerId = attributes.userPrincipalName;
+    }
+    await di_1.Container.get(db_1.AuthIdentityRepository).save(samlAuthIdentity, { transaction: false });
+    user.firstName = attributes.firstName;
+    user.lastName = attributes.lastName;
+    const resultUser = await di_1.Container.get(db_1.UserRepository).save(user, { transaction: false });
+    if (!resultUser)
+        throw new auth_error_1.AuthError('Could not update User');
+    const userWithRole = await di_1.Container.get(db_1.UserRepository).findOne({
+        where: { id: resultUser.id },
+        relations: ['role'],
+        transaction: false,
+    });
+    if (!userWithRole)
+        throw new auth_error_1.AuthError('Failed to fetch user!');
+    return userWithRole;
+}
+function getMappedSamlAttributesFromFlowResult(flowResult, attributeMapping, jitClaimNames) {
+    const result = {
+        attributes: undefined,
+        missingAttributes: [],
+    };
+    if (flowResult?.extract?.attributes) {
+        const attributes = flowResult.extract.attributes;
+        const email = attributes[attributeMapping.email];
+        const firstName = attributes[attributeMapping.firstName];
+        const lastName = attributes[attributeMapping.lastName];
+        const userPrincipalName = attributes[attributeMapping.userPrincipalName];
+        result.attributes = {
+            email,
+            firstName,
+            lastName,
+            userPrincipalName,
+        };
+        if (jitClaimNames.instanceRole && typeof attributes[jitClaimNames.instanceRole] === 'string') {
+            result.attributes.n8nInstanceRole = attributes[jitClaimNames.instanceRole];
+        }
+        if (jitClaimNames.projectRoles && attributes[jitClaimNames.projectRoles]) {
+            const projectRolesFromFlowResult = attributes[jitClaimNames.projectRoles];
+            result.attributes.n8nProjectRoles = Array.isArray(projectRolesFromFlowResult)
+                ? projectRolesFromFlowResult
+                : [projectRolesFromFlowResult];
+        }
+        if (!email)
+            result.missingAttributes.push(attributeMapping.email);
+        if (!userPrincipalName)
+            result.missingAttributes.push(attributeMapping.userPrincipalName);
+        if (!firstName)
+            result.missingAttributes.push(attributeMapping.firstName);
+        if (!lastName)
+            result.missingAttributes.push(attributeMapping.lastName);
+    }
+    return result;
+}
+function isConnectionTestRequest(payload) {
+    return payload.RelayState === (0, service_provider_ee_1.getServiceProviderConfigTestReturnUrl)();
+}

package/dist/modules/sso-saml/saml-validator.d.ts

@@ -0,0 +1,16 @@
+import { Logger } from '@n8n/backend-common';
+import type { IdentityProviderInstance } from 'samlify';
+export declare class SamlValidator {
+    private readonly logger;
+    private xmlMetadata;
+    private xmlProtocol;
+    private preload;
+    constructor(logger: Logger);
+    private xmllint;
+    init(): Promise<void>;
+    validateIdentiyProvider(idp: IdentityProviderInstance): void;
+    validateMetadata(metadata: string): Promise<boolean>;
+    validateResponse(response: string): Promise<boolean>;
+    private loadSchemas;
+    private validateXml;
+}

package/dist/modules/sso-saml/saml-validator.js

@@ -0,0 +1,129 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SamlValidator = void 0;
+const backend_common_1 = require("@n8n/backend-common");
+const di_1 = require("@n8n/di");
+const samlify_1 = require("samlify");
+const invalid_saml_metadata_error_1 = require("./errors/invalid-saml-metadata.error");
+let SamlValidator = class SamlValidator {
+    constructor(logger) {
+        this.logger = logger;
+        this.preload = [];
+    }
+    async init() {
+        await this.loadSchemas();
+        this.xmllint = await Promise.resolve().then(() => __importStar(require('xmllint-wasm')));
+    }
+    validateIdentiyProvider(idp) {
+        const binding = idp.entityMeta.getSingleSignOnService(samlify_1.Constants.wording.binding.redirect);
+        if (typeof binding !== 'string') {
+            throw new invalid_saml_metadata_error_1.InvalidSamlMetadataError('only SAML redirect binding is supported.');
+        }
+    }
+    async validateMetadata(metadata) {
+        const validXML = await this.validateXml('metadata', metadata);
+        if (validXML) {
+            const idp = (0, samlify_1.IdentityProvider)({
+                metadata,
+            });
+            this.validateIdentiyProvider(idp);
+        }
+        return validXML;
+    }
+    async validateResponse(response) {
+        return await this.validateXml('response', response);
+    }
+    async loadSchemas() {
+        this.xmlProtocol = (await Promise.resolve().then(() => __importStar(require('./schema/saml-schema-protocol-2.0.xsd')))).xmlFileInfo;
+        this.xmlMetadata = (await Promise.resolve().then(() => __importStar(require('./schema/saml-schema-metadata-2.0.xsd')))).xmlFileInfo;
+        this.preload = (await Promise.all([
+            Promise.resolve().then(() => __importStar(require('./schema/saml-schema-assertion-2.0.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/xmldsig-core-schema.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/xenc-schema.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/xml.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/ws-federation.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/oasis-200401-wss-wssecurity-secext-1.0.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/oasis-200401-wss-wssecurity-utility-1.0.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/ws-addr.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/metadata-exchange.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/ws-securitypolicy-1.2.xsd'))),
+            Promise.resolve().then(() => __importStar(require('./schema/ws-authorization.xsd'))),
+        ])).map((m) => m.xmlFileInfo);
+    }
+    async validateXml(type, contents) {
+        const fileName = `${type}.xml`;
+        const schema = type === 'metadata' ? [this.xmlMetadata] : [this.xmlProtocol];
+        const preload = [type === 'metadata' ? this.xmlProtocol : this.xmlMetadata, ...this.preload];
+        try {
+            const validationResult = await this.xmllint.validateXML({
+                xml: [{ fileName, contents }],
+                extension: 'schema',
+                schema,
+                preload,
+            });
+            if (validationResult?.valid) {
+                this.logger.debug(`SAML ${type} is valid`);
+                return true;
+            }
+            else {
+                this.logger.debug(`SAML ${type} is invalid`);
+                this.logger.warn(validationResult
+                    ? validationResult.errors
+                        .map((error) => `${error.message} - ${error.rawMessage}`)
+                        .join('\n')
+                    : '');
+            }
+        }
+        catch (error) {
+            this.logger.warn(error);
+        }
+        return false;
+    }
+};
+exports.SamlValidator = SamlValidator;
+exports.SamlValidator = SamlValidator = __decorate([
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [backend_common_1.Logger])
+], SamlValidator);

package/dist/modules/sso-saml/saml.controller.ee.d.ts

@@ -0,0 +1,50 @@
+import { SamlAcsDto, SamlPreferences, SamlToggleDto } from '@n8n/api-types';
+import { AuthenticatedRequest } from '@n8n/db';
+import { Response } from 'express';
+import { AuthService } from '../../auth/auth.service';
+import { EventService } from '../../events/event.service';
+import { AuthlessRequest } from '../../requests';
+import { UrlService } from '../../services/url.service';
+import { SamlService } from './saml.service.ee';
+export declare class SamlController {
+    private readonly authService;
+    private readonly samlService;
+    private readonly urlService;
+    private readonly eventService;
+    constructor(authService: AuthService, samlService: SamlService, urlService: UrlService, eventService: EventService);
+    getServiceProviderMetadata(_: AuthlessRequest, res: Response): Promise<Response<any, Record<string, any>>>;
+    configGet(): Promise<{
+        entityID: string;
+        returnUrl: string;
+        ignoreSSL: boolean;
+        loginBinding: "redirect" | "post";
+        authnRequestsSigned: boolean;
+        wantAssertionsSigned: boolean;
+        wantMessageSigned: boolean;
+        acsBinding: "redirect" | "post";
+        signatureConfig: {
+            prefix: string;
+            location: {
+                action: "before" | "after" | "prepend" | "append";
+                reference: string;
+            };
+        };
+        relayState: string;
+        mapping?: import("@n8n/api-types").SamlPreferencesAttributeMapping | undefined;
+        metadata?: string | undefined;
+        metadataUrl?: string | undefined;
+        loginEnabled?: boolean | undefined;
+        loginLabel?: string | undefined;
+    }>;
+    configPost(_req: AuthenticatedRequest, _res: Response, payload: SamlPreferences): Promise<SamlPreferences | undefined>;
+    toggleEnabledPost(_req: AuthenticatedRequest, res: Response, { loginEnabled }: SamlToggleDto): Promise<Response<any, Record<string, any>>>;
+    acsGet(req: AuthlessRequest, res: Response): Promise<void | Response<any, Record<string, any>>>;
+    acsPost(req: AuthlessRequest, res: Response, payload: SamlAcsDto): Promise<void | Response<any, Record<string, any>>>;
+    private acsHandler;
+    initSsoGet(req: AuthlessRequest<{}, {}, {}, {
+        redirect?: string;
+    }>, res: Response): Promise<string | Response<any, Record<string, any>>>;
+    configTestGet(_: AuthenticatedRequest, res: Response): Promise<string | Response<any, Record<string, any>>>;
+    private handleInitSSO;
+    private validateRedirectUrl;
+}